Feed on
Posts
Comments

So have this day ended and the event was very interesting and inspiring. We made deep dives in many topics and it was very interesting to have the different views on privacy from Sweden, Germany, Israel, Ireland and more. It turned out that Swedes as me in general have a more open view of surveillance and “loss” of privacy compared to other countries.

It was a very interesting notion that trust was so hard to actually measure and use and still it is so important when doing business. What use is a contract actually? Only reason to sign a contract is to handle situation were trust goes to distrust. Still is a binary thing. Either you trust or distrust.

A very interesting notion came up as well: delivering cleansing of your internet presence. There is a possible business in providing tools and services to actually have disturbing information on internet removed. Any company providing this service could make a fortune.

In the end of the day there is a lot of very interesting work to be done in the area of security. Just tag along and gear up!

This is a very sad day. In Sweden 10-year old Engla was found dead and a 42-year old have confessed murder. Read the sad story here .

What have this to do with security architecure? When looking at the background for the 42-year old we see (according to the news) that he was convicted for physical abuse, suspect of attempt of rape and during the course of this event suspect (and confessed) of murder. All in all not a very nice guy if you ask me.

He was employed as a truck driver and that is probably not a very sensitive line of work when you look at information security. But have you made a background check on your CSO, your CIO, your engineers and the computer administrators? How could you be sure that you have not employed people with bad credit rating, suspect of theft or fraud or is having way to much contact with the underground? 70% of all security related incidents is internal and still background checks are seldom done at sensitive positions.

This will not bring Engla back to life but I wow to bring the issue of personal security up on GIO on Tuesday. By giving all the people there my view on security I hope that at least a few enterprises take the responsibility to protect the common man from harm.

I have been honoured to be a speaker at Global Innovation Outlook: Security and Society the 15th of april in Berlin. I will report here after the event.

Last week there was a credit card incident in Sweden at a large retailer. Sometime during the day a few cashiers noticed something strange with the EFT-terminals. A further inspection revealed that the terminals had been manipulated to capture and send the credit card information to a wireless unit. The police said that persons behind this most probably have hidden in the store at closing time and did their work during the night.

This event reveals several interesting questions. How is EFT-terminals classified in a retailer? Should they be protected or should they be examined every morning? It is also interesting that the criminals actually are willing to take the risk to hide in the store even if there is a large risk of detection. At customs at the Oresund bridge several cars have been stopped where skimming tools have been found. I think that there will be a large increase of this type of crimes during the year. In Europe 11 incidents are reported every week. I think that it will be more close to 20 when this year is over. 1.5 years ago I wrote a risk analysis for a customer looking five years forward for the threats affecting their infrastructure and their company from an IT-perspective. Trojans and fraud were the biggest threats that would be in effect within two years. Year three would show an increase in DDOS used for blackmailing. I just hope that I am not correct in this as well.

Last week there was still another site hacked in Sweden. This time it was Dataföreningen (in English Computer Association) who lost quite a lot of user accounts (mine included) out to the internet. Within hours I saw several attempts to log on to my mail and my website (everything was logged and remediation actions have been taken). The most interesting with this event is that when accounts are published on internet searches are done to find where that particular username is used and then logon attempts are made with the same password as in the hacked site.

Taking this one step further and looking at your VPN solution. Do your users use the same username and password there as they use on internet? Sadly it is most likely the case. You could (and should) pass a policy stating that this was not allowed but that would be rather hard to enforce. From a logon perspective you should implement two factor authentications for external access to mitigate the problem.

Encrypting the hard drive on a computer has for long been a way to secure the contents of a laptop. Today I saw an video and read a rather disturbing whitepaper here on how to break different encryption schemes like Microsoft Bitlocker, Truecrypt and Applecrypt by simply rebooting the computer with an attached USB drive containing applications for dumping the memory contents from the computer, find the encryption key and accessing the hard drive. The attack took only a few minutes to implement.

This means that it is not only enough to encrypt the drive, policies on how to close the computer, handling it the first 5 minutes after closedown and not allowing any other boot beside from hard drive without supplying a special password, hardware token or something else to mitigate external boot of the computer. Also physical changes have to be done making access to the memory chips harder to achieve.

In the future a function to erase the memory of the computer at shutdown has to be implemented as well in BIOS or in some other way.

Even if I applaud at the elegance of finding such a way to break encryption it still is a hard to swallow that a rather strong security mechanism could be defeated that easily. I will monitor the events this creates closely.

Today I attended a very interesting seminar regarding Business Intelligence (BI) held by Ronny Seehus, Vice President and Head of Business Intelligence Consulting in Capgemini Norway. As a very skilled business manager Ronny easily explained how the BI business should be focused on information and information usage rather than from the technology perspective. In several key areas security was a success factor in the delivery due to the sometimes sensible information handled by the solutions. One very interesting point was the importance of having correct and valid information. This is of course nothing new within BI but when looking at the business problems with achieving high quality data it quickly turned out that it was very seldom that data actually was classified from an integrity point of view. Very often data from several different sources was treated as having an equal value. One way to solve this is by implementing Master Data Management.

If we take a step back and look at the theories from Jericho Forum regarding deparameterization and moving security to the information level instead by implementing encrypting and other solutions the step to apply the same theories for handling integrity and correctness of data is rather short. In the same way as you do your confidentiality classification you should classify the integrity and correctness of your data. By implementing filters in your BI solutions you could actually decide what quality you want to have in your reports and applying this into your analysis.

EDIT: The installation is now upgraded to the latest version. User registration have been turned on again.

In todays newspaper there was an article regarding a fraud attempt using a remote access device physical connected to the computer. Thanks to a resourceful employee the attempt failed. This still opens up for questions regarding where you have your boundries for your trusted computing base. Could you trust your clients anymore when they have contact with internet and could be remote controlled? Even if this attempt was a bit more sophisticated trojans exists with the same functionality, total control. I would suggest that for critical systems client computers should not be allowed to have access to internet at the same time as they are communicating with the system. This could be solve by using for example SSL-VPN or some other solution that limits the network. A firewall is not good enough becuase it often allows outgoing traffic. Port filtering is often circumvented by mascerading the traffic.

In the end of the day you should update your riskanalysis to include physical attempts of computer access inside your buildings and act occording to the result. The days when we could be lax with security is over, sadly.

During the last weeks there have been reports of several sites beeing hacked and having lost their account database and all personal information. Today there was an article in a swedish newspaper of a site adminstering a discount card for about 1 000 000 students.

Lets take a look at the information that was lost. Username and password is always a problem as they most probably are used on other sites. Personal information (swedish social security number, name, adress) are publicly available information through a register in sweden named SPAR. One could argue that the dataloss it not sensitive because of this but what is neglected is that we have personal information in conjuction with logins. This means that it is possible for the hackers to start creating accounts on sites where it is possible to commit fraud using the personal information.

To sum it up: When you look at the parts of information you have it may not be sensible but when you se it in a context and in conjuction with some other information it creates a whole new picture. This is why you have to be sure to handle security with your information architecture.

« Newer Posts - Older Posts »